METHOD FOR MANAGING AN EXECUTABLE CODE DOWNLOADED IN A 
REPROGRAMMABLE ON-BOARD SYSTEM 



The invention concerns a method of managing an 
executable code designed to be downloaded, in particular 
into an on-board microprocessor computer system. 

In general terms, the present invention applies to 
any on-board system, reprogrammable by downloading a 
program consisting of an executable code, in the form of 
a series of instructions executable by the microprocessor 
of the on-board system. The invention finds a 

particularly advantageous application in a context where 
the executable code consists of an intermediate object 
code, executable by the microprocessor of the on-board 
system by means of an interpreter for the intermediate 
code, commonly referred to as a virtual machine, provided 
with an execution stack and registers of operands 
manipulated by these instructions and making it possible 
to interpret this intermediate code. 
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More particularly , the description that follows 
concerns the application of the invention in the context 
of reprogrammable microprocessor cards of the JavaCard 
type. 

5 The microprocessor cards of the JavaCard type are in 

fact reprogrammable by means of an operation of 
downloading a small program, referred to as an "applet" 
in English terminology. 

For reasons of portability between different on- 

10 board computer systems, an applet is in the form of a 
code for a standard virtual machine. This code, written 
in binary form, serves as an intermediary between the 
source code and the executable binary code and is 
obtained for example by using a Java compiler. This 

15 intermediate code, "bytecode" according to the English 
terminology, is therefore not directly executable by the 
microprocessor of the card but must be interpreted in a 
software fashion by a binary code interpreter called a 
virtual machine. It suffices for the card in which the 

20 applet written in intermediate language is to be executed 
to be provided with a minimum of specific data processing 
resources forming the program constituting the virtual 
machine. In the aforementioned example of cards of the 
JavaCard type, the virtual machine used is a sub-assembly 

25 of the Java virtual machine. 

The operation of downloading applets onto an on- 
board computer system provided with an intermediate-code 
interpreter poses a certain number of security problems. 
30 Thus an applet that is unintentionally badly written may 
incorrectly modify data already present on the system, 
prevent the main program from being executed correctly, 
or modify other applets previously downloaded, by making 
them unusable or harmful. 



2 



- Also, using an applet written for a malevolent 
purpose, it is possible to perform an operation of 
duplicating memory areas in the card and/or imperilling 
the correct functioning of the chip card. It then 
5 becomes possible to have access to confidential or 
unauthorised data stored in the system, such as the 
access code in the case of a bank card for example, or 
attacking the integrity of one or more applications 
present on the card. Finally, if the card is connected 
10 to the outside world, the malf unctionings caused can be 
propagated outside the card. 

Thus solutions have been proposed to remedy the 
security problems involved in the operation of 
15 downloading an intermediate code (bytecode) onto an on- 
board computer system provided with an intermediate-code 
interpreter, such as the aforementioned example of the 
JavaCard. 

20 One solution consists of carrying out dynamic access 

and typing checks during the execution of the applets. 
The virtual machine then carries out a certain number of 
checks during the execution of the applets, such as: 

25 Control of access to the memory: at each reading or 

writing in a memory area, the virtual machine checks the 
right of access of the applet to the corresponding data; 

Dynamic verification of the data types: at each 
30 instruction from the applet, the virtual machine verifies 
that the constraints on the data types are satisfied; 

Detection of stack overflows and illegal accesses to 
the execution stack of the virtual machine. 

35 This solution does however have the drawback of a 

very significant slowing down in execution, caused by all 
the dynamic checks. Such checks also increase the 
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requirements - in terms of random access - and permanent 
memory of the system, because of the additional 
information of the type that it is necessary to associate 
with the data being manipulated. 

5 Another solution then consists of specifying the 

intermediate code (bytecode) so that it is possible to 
check that the program is inoffensive statically (that is 
to say during the downloading operation and before its 
execution) . This is performed by a security device 
10 called a verifier. For security reasons, JavaCard cards 
must therefore possess an on-board verifier. 

Although it allows an execution of the intermediate 
code that is much more rapid compared with the dynamic 

15 verification process, such a static verification process 
does however have the drawback of being expensive, both 
in terms of code size necessary for conducting this 
process and in terms of random access memory size 
necessary for containing the intermediate results of the 

20 verification, and in terms of calculation time. 

Starting from the principle stated in the latter 
solution, patent application FR 2 797 963 (Dl) presents a 
protocol for managing a downloaded intermediate code 

25 associated with a process of static verification of this 
intermediate code during its downloading, which allows 
secure execution of the latter by the on-board computer 
system. In this way advantageously a verifier is 

obtained that is much simpler and much less expensive in 

30 terms of code size necessary. 

The central idea of Dl is to convert the 
intermediate code off card before it is downloaded in 
order to simplify its verification once it has been 
35 downloaded and stored in the card. A phase of 

transformation of the intermediate code is therefore 
carried out off card and it is a case consequently of a 
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modified- -standardised- intermediate code that- is 
downloaded into the card, rather than the original 
intermediate code obtained by the use of a Java compiler. 
Thus the intermediate code transformed off card will be 
5 more easily verified in static mode according to a 
predefined verification process since it will have been 
transformed into a standardised intermediate code a 
priori satisfying the verification criteria of the 
predefined verification process that is the object of Dl . 
10 This prior transformation phase carried out off card 
therefore advantageously accelerates the verification 
process. For a detailed description of this solution, 
reference can be made to the text of Dl . 

15 However, one drawback of the method proposed in Dl 

is that it does not make it possible to make the 
verification process of the intermediate code on which it 
is based cohabit with a signature system of this 
intermediate code. Thus Dl does not make it possible to 

20 have an intermediate code that it is firstly verifiable 
in a simple and rapid fashion and secondly signed. This 
is because the method proposed by Dl makes provision for 
transforming the intermediate code off card before it is 
downloaded as explained above and consequently the 

25 signature of the developer of the code (or of any other 
person authorised to sign the code) effected before the 
transformation imposed off card on the intermediate code 
becomes, because of the very fact of this modification, 
invalid. As a result the signature is then no longer 

30 verifiable by the card. 

However, the possibility left for the card to be 
able to verify the signature of the downloaded 
intermediate code is also very important in terms of 
35 security. This is because the prior verification of the 
intermediate code before it is executed does not make it 
possible to ensure that the intermediate code does not 
contain any "Trojan horse". This is because only a 
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manual analysis makes it possible to check that an - 
intermediate code, even if it is correct vis-a-vis the 
verification, is not aggressive and this check cannot be 
carried out by the card. More precisely, the card can in 
5 fact only verify the validity of a signature attesting 
that this manual check on the intermediate code was 
carried out correctly. Hence the importance of being 
able to implement the downloading of an intermediate code 
having a valid signature. 

10 The aim of the present invention, which is based on 

these various findings, is to mitigate the aforementioned 
drawbacks related to the use of the verification method 
that is the object of Dl. 

15 With this objective in view, the invention aims more 

particularly to make a signature system cohabit with the 
verification system proposed by Dl during the downloading 
of an intermediate code into a reprogrammable on-board 
computer system provided with an intermediate-code 

20 interpreter, without however dispensing with the 
advantages procured by the verification system according 
to Dl, in particular in terms of simplicity and speed. 

More generally, one object of the invention is the 
25 use of a method of managing an executable code to be 
downloaded, intermediate or not, allowing the 
verification of a signature of this code by an on-board 
computer system such as a microprocessor card, while 
leaving the opportunity to effect a transformation of the 
30 executable code with a view to a predefined specific use. 
For example, the transformation of the original 
executable code may wish to aim at improving its 
verification at the time of its downloading according to 
the principles of the verification process set out in Dl, 
35 when it is a case of an intermediate code executed by 
means of a virtual machine, or improving its speed of 
execution by the microprocessor of the card, without such 
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a - trans format ion being able to impair the -validity- of- the - 
signature and therefore its verification by the card. 

To this end, the invention therefore concerns a 
5 method of managing an original executable code forming a 
program intended to be downloaded into a reprogrammable 
on-board computer system such as a microprocessor card, 
the said code possessing a cryptographic signature and 
being executable by the microprocessor of the on-board 
10 system after verification by the latter of the validity 
of the said signature, the said method comprising the 
steps consisting of at least: 

off card: - identifying a modified executable 
15 code corresponding to the original code, adapted to a 
predefined specific use; - from variations between the 
data of the original code and the corresponding modified 
code, calculating a software component which, when it is 
applied to the original code, makes it possible to 
20 reconstruct the modified code; and - signing the said 
software component ; 

downloading the signed original code and the 
signed software component into the card; 

25 - on card: - verifying the signatures 

respectively of the original code and of the software 
component; - applying the software component to the 
original code so as to reconstruct the modified code for 
its execution by the microprocessor. 

30 In a variant, the original executable code consists 

of an intermediate code, executable by the on-board 
system microprocessor by means of a virtual machine 
making it possible to interpret this intermediate code. 

35 According to a first embodiment, in relation to the 

said variant, the virtual machine is provided with an 
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execution stack and the downloaded software component , 
applied on card to the original intermediate code, makes 
it possible to reconstruct a modified intermediate code a 
priori satisfying criteria of verification of the said 
5 intermediate code according to which the operands of each 
instruction of the said code belong to the types of data 
manipulated by this instruction and, at each target 
switching instruction, the execution stack of the virtual 
machine is empty. 

10 Preferably, the modified intermediate code obtained 

by applying the software component is verified, before it 
is executed by the microprocessor by means of the virtual 
machine, according to a process verifying that the 
modified intermediate code satisfies the verification 

15 criteria . 

According to another embodiment, the downloaded 
software component, applied on card to the original code, 
. makes it possible to reconstruct a modified code such 
20 that its execution is more rapid with respect to that of 
the original code. 

According to another embodiment, the downloaded 
software component, applied on card to the original code, 
25 makes it possible to reconstruct a modified code such 
that it procures an optimisation in terms of size 
compared with the original code. 

Other characteristics and advantages of the 
30 invention will emerge more clearly from the description 
given below, by way of indication and in no way 
limitingly, with reference to the following figures, in 
which: 

35 Fig. 1 illustrates schematically the 

steps of the method performed off card; 
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Fig. 2 illustrates schematically the 
step of downloading into the card the original 
intermediate code and the associated software 
5 component dedicated to a predefined specific 

use, and 

Fig. 3 illustrates schematically the 
steps of the method performed on card. 

10 The description that will follow is more 

particularly oriented towards an application of the 
invention in an open system context, and more 
particularly that of reprogrammable microprocessor cards 
of the JavaCard CP type as depicted in Figure 2, where 

15 the downloaded original code is an intermediate code 
executed by the microprocessor by means of a virtual 
machine. However, the fact must not be lost from view 
that the method according to the invention also applies 
to a context where the downloaded card is not an 

20 intermediate code but a code directly executable by the 
microprocessor of the on-board system. 

Such reprogrammable systems therefore add the 
possibility of enhancing the executable program after the 

25 system is brought into service by an operation of 
downloading an applet. The applet that is to be 

downloaded is in the form of an original executable code 
CI, consisting in this example of an intermediate code 
for a virtual machine, typically a sub-assembly of the 

30 Java virtual machine resident in the memory of the card. 
Thus, once the intermediate code CI has been generated, 
an auditor is brought into play in order to verify that 
the intermediate code CI does not contain a Trojan horse. 

35 Where the intermediate code CI does not actually 

contain any malicious program of this type, the auditor 
signs the intermediate code CI. The cryptographic 
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signature SIGN can be made using any electronic signature 
mechanism available to persons skilled in the art. The 
intermediate code CI signed can then be used on any 
JavaCard and therefore possesses a signature SIGN 
5 attesting to its innocuousness and able to be verified by 
the card at the time of its downloading. The 
verification of the electronic signature consists of 
verifying that the signature is valid. 

10 One essential characteristic of the invention 

consists of downloading the original intermediate code 
CI, that is to say not modified, into the card CP and 
adding to it a software component CL making it possible, 
when it is applied to the original intermediate code, to 

15 calculate a modified intermediate code CI' adapted to a 
predefined specific use. In the figures the original 
intermediate code CI is shown diagrammatically by code 
lines in continuous lines, whilst the corresponding 
modified intermediate code CI' is shown diagrammatically 

20 by code lines in continuous lines and dotted lines. 

According to the invention, the supplementary 
software CL to be applied to the signed original 
intermediate code CI is calculated off the card according 

25 to the original intermediate code CI and the 
corresponding modified intermediate code, identified for 
a predefined specific use. In the same way as for the 
original intermediate code CI, the software component CL 
is signed and therefore has a signature SIGN' able to be 

30 verified. 

The main application of the invention is to be able 
to make a signature system cohabit with the verification 
system proposed by Dl during the downloading of the 
35 intermediate code into the card. Thus, in the context of 
this application, the intermediate code CI' is a modified 
intermediate code adapted to the predefined specific use 
consisting of a priori satisfying the verification 
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criteria for the verification process that is the object 
of Dl. Thus, in the main application of the invention, 
the software component is calculated so that, once 
applied to the original intermediate code CI, a modified 
5 intermediate code CI' is obtained that is standardised 
according to the teaching of Dl so as to a priori satisfy 
the verification criteria of the verification process 
that is the object of Dl . In particular, the 

standardised intermediate code according to Dl is such 

10 that the operands of each instruction belong to the types 
of data manipulated by this instruction and the execution 
stack of the virtual machine is empty at .each target 
switching instruction* For a more detailed description, 
the reader can usefully refer to the text of Dl. 

15 However, it would be departing from the scope of the 
present application to detail here the calculations 
making it possible to end up with the software component 
as defined, which are more known to persons skilled in 
the art. 

20 The original intermediate code CI and the associated 

component CL are then downloaded into the card CP, see 
Figure 2. The software component CL therefore travels 
with the original intermediate code CI and is intended to 
be applied on card to the original intermediate code, 

25 once stored with the latter in a rewriteable permanent 
memory of the card. 

The card first of all verifies that the signature 
SIGN of the intermediate code CI is valid, so as to 
30 ensure that the latter does not include any Trojan horse 
nor any other malicious code of the same type. The card 
also verifies the validity of the signature SIGN' of the 
software component CL in order to ensure that it too does 
not contain a Trojan horse. 

35 Once these prior signature verification operations 

have been successfully performed, the card applies the 
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Software component CL to the original intermediate code 
CI, see Figure 3, so as to reconstruct the modified code 
CI' adapted to the predefined specific use consisting, in 
the main embodiment of the invention, of a priori 
5 satisfying the verification criteria of the verification 
process that is the object of Dl . 

The card can then verify the modified intermediate 
code before it is executed by the microprocessor by means 

10 of the virtual machine using the verification techniques 
employed in the static verification process of a fragment 
of program that is the object of Dl . Thus the 

verification process consists of verifying that the 
modified intermediate code CI' satisfies the 

15 aforementioned verification criteria, namely that the 
operands of each instruction of the modified code belong 
to the types of data manipulated by this instruction and, 
at each target switching instruction, the execution stack 
of the virtual machine is empty . The reader is requested 

20 to refer to the text of Dl for more details, which would 
be superfluous in the context of the present application. 

Then, once the verification of the modified 
intermediate code has been conducted according to the 
25 principles of the verifier that is the object of Dl, the 
modified intermediate code is executed by the 
microprocessor by means of the virtual machine. 

Thus the method according to the invention makes it 
30 possible to make a signature system cohabit 
advantageously with the verification system proposed by 
Dl during the downloading of an intermediate code into a 
reprogrammable on-board computer system. It is therefore 
possible to download signed applets into the card and to 
35 enable the card to verify this signature whilst resulting 
in a verification process as disclosed in Dl . This is 
made possible by virtue of the software component to be 
downloaded at the same time as the signed original 
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intermediate code, which makes it possible, when it is 
applied on card to the latter, to obtain a modified 
intermediate code complying with the principles of the 
simple fast verifier disclosed in Dl. 

5 The intermediate code downloaded into the card 

according to the invention being the original 
intermediate code, its signature is not made invalid by 
any modification process effected off card and, 
consequently, the card, is in a position to verify its 
10 signature before its execution. 

However, though the main application that is being 
presented concerning a software component adapted for the 
purpose of verification of the intermediate code 
15 according to the principles disclosed in Dl, the 
invention is in no way limited to such an application. 

In general, the invention applies to the downloading 
into a reprogrammable on-board system of an original 

20 executable code, intermediate or not according to the 
system, and of an associated software component such 
that, when it is applied on card to the original code, 
the software component makes it possible to reconstruct a 
modified code adapted for a predefined specific use. The 

25 purpose can therefore be other than the obtaining of a 
modified code permitting the application of the 
verification process according to Dl . 

In particular, the predefined specific use to which 
30 the modified code responds can correspond to an 
optimisation in terms of time of the execution of the 
code. Thus the software component downloaded with the 
original code can be calculated so that the original 
code, once modified on card by application of the 
35 component, is executed more rapidly. In this application 
of the invention, the downloaded software component 
applied on card to the original code therefore makes it 
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possible to reconstruct a modified code such that its 
execution is more rapid compared with that of the 
original code. 

5 Equally, the software component downloaded with the 

original code can be calculated so that the original 
code, once modified on card by application of the 
component, occupies less memory space. In this 

application of the invention, the downloaded software 
10 component, applied on card to the original code, 
therefore makes it possible to reconstruct a modified 
code such that it procures an optimisation in terms of 
size compared with the original code. 

15 The example given below by way of illustration 

concerns a concrete case of application on card of a 
software component to an original intermediate code with 
a view to obtaining an optimisation in terms of speed of 
execution and size of the downloaded original code. In 

20 this example, the downloaded original intermediate code 
describes a normal operation performed in the chip card 
programs consisting of recovering the least significant 
byte of a 16-bit word placed on the stack. 

25 Let therefore the following original intermediate 

code (symbolic notation and Java operation code) be: 

0x11 sspush 255 
0x00 

30 OxFF 

0x53 sand ; 

This code makes it possible to recover the least 
significant byte of a 16-bit word placed on the stack. 
35 For this, it is necessary to stack a 16-bit word whose 
most significant byte is at 0x00 and whose least 
significant byte is at OxFF (sspush 255), and then do a 
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logic AND between the two 16-bit words on the stack 
(sand) . 

And let the corresponding replacement code be: 
0xC9 Xsand_255 ; 

In this particular example, the function of the 
downloaded software component intended to be applied on 
card to the original intermediate code is to replace the 
series of instructions 0x11, 0x00, OxFF, 0x53 with the 
replacement code OxC9, in order thus to obtain a modified 
intermediate code for performing the same operation but 
procuring a saving of 6 bytes compared with the original 
intermediate code and therefore an optimisation in terms 
of size and speed when it is executed by the 
microprocessor by means of the virtual machine. 

Other applications can of course be envisaged 
without for all that departing from the scope of the 
present invention . 
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